ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

I'm trying to achieve the following for our employees, contractors and guests.

 

Guests and Contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.

  • contractors (LDAP contractor group) -> webauth -> internet
  • guests (internal ISE DB via sponsor portal) -> webauth -> internet

 

Employees should be allowed to register their devices after successful auth on the ISE portal login page, and they should be allowed to access the internet once their device is registered, so they don't have to re-enter their credentials every 2 hours.

  • employees (LDAP employee group) -> webauth -> NSP -> internet

 

In ISE I've created a custom portal with the mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning policy configured, and I've set "Native Supplicant Provisioning Policy Unavailable:" to "Allow network access".

 

I'm currently experiencing problems with clients, and they describe their problem as a portal loop: when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remotely and not able to replicate the problem myself. Any advice would be welcome and much appreciated.

Is there any available documentation about the built-in attributes in ISE? I'm especially interested in network use EQUALS guest flow.
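To make the rule ordering in the flows above concrete, here is an added example (not ISE code, not from the original post): a toy first-match authorization evaluator. ISE evaluates authorization rules top to bottom and applies the first match, and a CWA session is only re-evaluated with the portal-authenticated identity and "Network Access:UseCase = Guest Flow" after ISE's CoA makes the WLC re-authenticate the client. The rule names, profile names, group names and the `coa_reaches_wlc` switch are assumptions chosen for the illustration; the last case shows the portal loop: when the CoA never reaches the WLC, the session is evaluated unchanged and keeps matching the redirect rule.

```python
# Added example (not ISE code): toy first-match authorization evaluator that
# models the flows described in the post. Attribute, rule and profile names
# are assumptions loosely modelled on ISE's.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Session:
    mac: str = "00:11:22:33:44:55"        # constructed endpoint MAC
    user: Optional[str] = None            # known only after portal login
    ldap_group: Optional[str] = None      # "employee" / "contractor" (assumed names)
    identity_group: Optional[str] = None  # "Guest" for sponsored accounts (assumed)
    use_case: Optional[str] = None        # "Guest Flow" after CWA login + CoA reauth
    registered_device: bool = False       # endpoint is in RegisteredDevices


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str


def guest_flow(s: Session) -> bool:
    return s.use_case == "Guest Flow"


# Rule order encodes the intended flows: registered endpoints first (MAB only,
# no user known), then the three portal-authenticated outcomes, then the
# catch-all redirect to the CWA portal.
RULES: List[Rule] = [
    Rule("Registered-Device", lambda s: s.registered_device, "PermitAccess"),
    Rule("Employee-Onboard", lambda s: guest_flow(s) and s.ldap_group == "employee", "NSP-Redirect"),
    Rule("Contractor-Internet", lambda s: guest_flow(s) and s.ldap_group == "contractor", "Internet-Only"),
    Rule("Guest-Internet", lambda s: guest_flow(s) and s.identity_group == "Guest", "Internet-Only"),
    Rule("Wireless-CWA", lambda s: True, "CWA-Redirect"),
]


def evaluate(session: Session, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (rule name, authorization profile) of the first matching rule."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", "DenyAccess"


def portal_login(session: Session, user: str, ldap_group: Optional[str] = None,
                 identity_group: Optional[str] = None,
                 coa_reaches_wlc: bool = True) -> Session:
    """Simulate a successful CWA portal login.

    The identity is applied to the session only when the CoA-triggered
    re-authentication happens. If the CoA never reaches the WLC, the WLC keeps
    the original authorization (the redirect), so the next evaluation is done
    on the unchanged session and the client lands on the portal again.
    """
    if not coa_reaches_wlc:
        return session
    return Session(mac=session.mac, user=user, ldap_group=ldap_group,
                   identity_group=identity_group, use_case="Guest Flow",
                   registered_device=session.registered_device)


def register_device(session: Session) -> Session:
    """NSP flow: the endpoint is added to RegisteredDevices and re-authenticated."""
    return Session(mac=session.mac, user=session.user, ldap_group=session.ldap_group,
                   identity_group=session.identity_group, use_case=session.use_case,
                   registered_device=True)


if __name__ == "__main__":
    new = Session()
    print(evaluate(new))                                   # ('Wireless-CWA', 'CWA-Redirect')
    contractor = portal_login(new, "bob", ldap_group="contractor")
    print(evaluate(contractor))                            # ('Contractor-Internet', 'Internet-Only')
    employee = portal_login(new, "alice", ldap_group="employee")
    print(evaluate(employee))                              # ('Employee-Onboard', 'NSP-Redirect')
    print(evaluate(register_device(employee)))             # ('Registered-Device', 'PermitAccess')
    # Next day the registered endpoint comes back via MAB with no user known:
    print(evaluate(Session(registered_device=True)))       # ('Registered-Device', 'PermitAccess')
    # Same login, but the CoA is blocked: session unchanged -> portal loop
    print(evaluate(portal_login(new, "bob", ldap_group="contractor", coa_reaches_wlc=False)))
```

The point to take from the last case is that a correct rule set still loops if the CoA-driven re-authentication does not happen; the rules never get to see the post-login attributes.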

5 Replies

Ali Koussan
Level 1

Hi Patrick,

I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.

For the device registration, I have set "Native Supplicant Provisioning Policy Unavailable:" to "Allow network access".

My authorization rules are as follows:

1. Rule name: Vendor-wired; identity: RegisteredDevices AND identity group: VENDOR; authorization profile: VENDOR-ACCESS

2. Rule name: WIRED-CWA; identity: any; condition: device-type: SWITCH; authorization profile: CWA-PORTAL

It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.

Did you find any hint for this problem?


Is this a distributed deployment? How many PSNs? Does the redirect URL point to a static IP?

What is the version and patch level of the ISE? WLC code?

Best practice is not to set a static IP in the redirect URL and to let the PSN responding to RADIUS automatically be the one to which subsequent CWA requests are sent. Otherwise, the other PSN will have no knowledge of the session and will loop as shown.

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

Hi Charles,

In my case, it is wired and it is a two-node deployment, not distributed.

ISE 1.2.1 with the latest patch.

URL redirection is working fine, supplicant provisioning is OK, device registration is also fine.

But after the user logs in he is redirected again to the portal. The device is shown under registered devices, but authorization rule 2 is not being hit after user login. The strange thing is that when I try again, the device registration portal asks again to register, although the device is under registered devices.

I have no clue what's going on.


Hi, I had similar issues with my WLC. Finally I realized the ISE PSNs and the WLC had a firewall between them.

So CoA through port 1700 from the PSNs to the WLC was closed. I had to open it so that the CoA from the PSNs to the WLC could change the state of the connected client, and the loop ended.

I hope this helps.
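As an added example (not part of the reply above and not Cisco code), here is a small first-match firewall rule audit that checks the flows a CWA deployment needs between ISE PSNs and a WLC, including the return-direction CoA on UDP 1700 the reply describes. The addresses and rule lists are constructed for illustration; the RADIUS ports (UDP 1812/1813) are the usual defaults and are an assumption about the deployment.

```python
# Added example (not Cisco code): audit a simple firewall rule list for the
# flows a CWA deployment needs. Rules, addresses and flow list are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FwRule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port


def rule_matches(rule: FwRule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, dport))


def decide(rules: List[FwRule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


# (description, proto, direction, port); direction is "wlc->psn" or "psn->wlc".
# Port numbers are assumed defaults; 1700 is the CoA port named in the reply.
REQUIRED_FLOWS = [
    ("RADIUS authentication", "udp", "wlc->psn", 1812),
    ("RADIUS accounting", "udp", "wlc->psn", 1813),
    ("CoA (session re-auth after portal login)", "udp", "psn->wlc", 1700),
]


def audit(rules: List[FwRule], psns: List[str], wlcs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (description, src, dst) for every required flow the rules do not permit."""
    blocked = []
    for psn in psns:
        for wlc in wlcs:
            for desc, proto, direction, port in REQUIRED_FLOWS:
                src, dst = (wlc, psn) if direction == "wlc->psn" else (psn, wlc)
                if decide(rules, proto, src, dst, port) != "permit":
                    blocked.append((desc, src, dst))
    return blocked


# Constructed sample deployment: two PSNs and one WLC on opposite sides of a firewall
PSNS = ["10.1.1.11", "10.1.1.12"]
WLCS = ["10.2.2.5"]

# Constructed rule set that only permits RADIUS in the WLC->PSN direction
RULES_BEFORE = [
    FwRule("permit", "udp", "10.2.2.0/24", "10.1.1.0/24", 1812),
    FwRule("permit", "udp", "10.2.2.0/24", "10.1.1.0/24", 1813),
]

# Same rule set with the return-direction CoA rule added
RULES_AFTER = RULES_BEFORE + [
    FwRule("permit", "udp", "10.1.1.0/24", "10.2.2.0/24", 1700),
]

if __name__ == "__main__":
    for flow in audit(RULES_BEFORE, PSNS, WLCS):
        print("blocked:", *flow)
    print("after fix, blocked flows:", audit(RULES_AFTER, PSNS, WLCS))
```

Because CoA is initiated by the PSN rather than by the WLC, a rule set written only around "the WLC talks to ISE" passes the RADIUS checks and still fails the audit on the 1700/udp flow; that is the asymmetry the reply above ran into.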

nspasov
Cisco Employee

Hi Patrick. It has been a while since I have done web-based device provisioning, but from what I remember, I had to create two individual web portals: one for standard guest access and one for the device provisioning. I had to do this because having the "provisioning flow" option enabled caused issues for standard guests that were not doing device onboarding.


Thank you for rating helpful posts!